In an interconnected world, most smart cities are highly likely to use a cloud-based infrastructure. However, the need to conform to common industry standards and the applicable law also applies to these structures, whether they are a cloud platform or within a data space. Failure in either area could result in penalties based on security issues and reputational damage, in addition to unauthorised access and harm to individuals.
To guide smart cities, D1.7 provides recommendations for navigating the European Cloud Infrastructure, including the takeaways below.
1. Location of the cloud and dataspaces
As cloud providers operate globally and may be regulated outside European legal frameworks, smart cities should assess whether European-based personal data is protected by determining whether the GDPR applies to the service provider. The GDPR applies if the service provider is based within the EU, regardless of whether the processing takes place in the EU or not, or, in certain cases, if the service provider is not based in the EU but processes personal data of data subjects who are in the EU.
If the service provider does not offer a data center within the EU, it is recommended to carry out a Transfer Risk Assessment addressing the flow of data and the receiving location’s data regulations. This should include whether that country is covered by a current EU Adequacy Decision, and if data can be processed with safeguards such as Standard data protection Contractual Clauses (SCCs) adopted or approved by the European Commission, or Binding Corporate Rules (BCRs), codes of conduct to govern the processing of data in the third country.
Ultimately, however, smart cities should consider whether an alternative service with a data center situated in the EU can be used.
2. Reconciling existing regulation with the shift to dataspaces
It is evident that current legal frameworks are designed around cloud infrastructures rather than data- and information-focused data spaces. In practice, utilising data spaces would allow for data to be shared across nine industries: Health, Industrial, Agriculture, Finance, Mobility, Green Deal, Energy, Public Administration, and Skills.
For smart cities, it will be important to define data sovereignty principles and clear ownership of data to allow for protection of personal data. In practice this means anonymising data and ensuring there is a clear owner of data points who can respond to GDPR-oriented data subject requests when they arise. In particular, smart cities may lead to the blurring of the processor and controller roles within data spaces. Smart cities should therefore ask:
Is the chosen cloud environment providing any additional services, such as cloud-provided AI tools? If so, does the Smart City own all the outputs from this service?
If cloud-provided tools have access to personal data, additional clauses should be agreed that processing shall only occur on the Smart City's instructions and no rights in the outputs shall be transferred to the cloud provider.
Does the cloud provider/data space have access to the stored data? Will the cloud provider use the data to improve their own services and products? If cloud-provided tools have access to personal data, additional clauses should be agreed that processing shall only occur on the Smart City's instructions and the outputs will only be used by the Smart City.
If data is shared in a data space, who has ownership over the imputed data and takes the role as a controller? Clear delineation of roles and responsibilities should be defined within the data space before the Smart City shares data.
If data is shared in a data space, are there mechanisms in place to ensure the security and protection of personal data, whether through technical or organisational security measures?
3. A middle way could be achieved with ‘Data Altruism’
The concept of Data Altruism under the Data Governance Act (the ‘DGA’), where entities can agree to their data being used for the public good, may provide an alternative for smart cities while respecting data subject rights. Under Article 2 of the DGA, Data Altruism is “the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services…”. In practice, to be eligible, smart cities must operate on a not-for-profit basis, be independent from any entity that operates on a for-profit basis, and perform the activities related to data altruism through a legally independent structure, separate from other activities undertaken, in addition to notifying data subjects that data collected is for the general interest and gaining their consent for processing.